Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now
25
Global rank
9 infographic chevron month
Month rank
7 infographic chevron week
Week rank
0
IOCs

Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018.

Trojan
Type
ex-USSR
Origin
1 December, 2018
First seen
22 September, 2025
Last seen

How to analyze Vidar with ANY.RUN

Type
ex-USSR
Origin
1 December, 2018
First seen
22 September, 2025
Last seen

IOCs

IP addresses
95.216.180.153
45.84.1.88
103.125.190.248
Hashes
af654dfab98e93b7e203c08db19901eab6f7dfc70b71e5a0eec87a3ba9b92a09
7d737a69ae779654371aff951a05311b38962e87498cda335a6a8f8a803d86ce
db3a352fd93106437a6a700fea49d1d0403b11d7859155ecfd3a1e2a707db14f
916762c33b9402450077c84dc1cf027173c1d00ecb1c7cae3ae2d8ecbad1263c
99fae1fe1739052540a8a99cb4377fb9c0a575a3b880d96940f6c06b12d50edf
3dae32e22775721f2f9de5fec79dbcd8d62adaeb057b47c4524e02d130a43b25
b8da124e50d54e5b84d5823a8736638bbec4becff75527531891c250cbfcb0a7
752d700195073767a9349fda21a6b4c1d8b6cc87c64a891a3abe3b8e060c5bab
36213f57ceabe23ef76ec56f006c6fc1a1f03a6c94949b0f14b8e6dec26af98b
42935313c4d3414c6d0424eb25b62f71837dad19ba11b4d8768d08b9735bed98
9d204eddaebd3d8624349b9492a3f3c8cc5a524e848419bb039d739b4d152292
5b654bf465fa3ee44a81212d37b50ac72a286216fcfd3034afe0153f0ce8971f
b6cf48ed4c80605176d614acb10c7b622325b09500426abc5807b2cb045bccdb
40849c0f5f42841e181fd6d62223f791269d24f78123288c2eaa7540918568a0
2040a9add2ed71beb77c5440ef8c12e033c26488aaaed73333d97db37d9b02b2
627ceca2f4d66a6754bf21bcf3cf749c9af14079384e8968cf85f3a7feea9a9a
f3d632d94ba690a9c5ba5760f2ff92d00e44edfe148e4ca8cf2552c28e6ab1de
863fe9a5c43ab0742476b25e863e4bc56ad2acb7b1cc393e952f5ea6d2f96ed6
fc92a37321a2303e54602e86e641edb4ca724a367eaef8553bdef7e4865e1066
3ecfe375bd64aa9e53b2d439c8ea9974af664aa36d060239ae7ddd1d796e0309
Domains
tiny.cc
ip-api.com
l3monrat.com
URLs
http://80.92.206.80/
http://worthknowing.us/1.jpg
http://worthknowing.us/6.jpg
http://worthknowing.us/7.jpg
http://worthknowing.us/4.jpg
http://worthknowing.us/3.jpg
http://worthknowing.us/5.jpg
http://worthknowing.us/2.jpg
http://vidro1.zzz.com.ua/
http://vidro1.zzz.com.ua/11
http://23.88.36.149/897
http://23.88.36.149/package.zip
http://23.88.36.149/
http://itskuba.com/1g/1.jpg
http://www.itskuba.com/1g/3.jpg
http://itskuba.com/1g/4.jpg
http://itskuba.com/1g/3.jpg
http://itskuba.com/1g/6.jpg
http://www.itskuba.com/1g/5.jpg
http://www.itskuba.com/1g/2.jpg
Last Seen at
Last Seen at

Recent blog posts

post image
Efficient SOC: How to Detect and Solve Incide...
watchers 619
comments 0
post image
ANY.RUN & Palo Alto Networks Cortex XSOAR...
watchers 711
comments 0
post image
Lazarus Group Attacks in 2025: Here's Everyth...
watchers 4274
comments 0

What is Vidar malware?

Vidar is an information stealer trojan that was first identified in December 2018. It is either a fork of Arkei or the result of its evolution. Named after the god of vengeance from Scandinavian mythology, Vidar is used to steal information from infected systems, take screenshots, steal cryptocurrency, and more.

General description of Vidar malware

Vidar is presumed to have originated in a Russian-speaking country since the malware is configured to stop execution if it detects that it is being run on a machine that is located in one of the ex-USSR nations or on one that has a Russian keyboard layout.

Being another cyber threat that is available for purchase based on the MaaS (Malware-as-a-Service) business model, Vidar can be purchased on its “official” website for a hefty price tag of $700, at least for the PRO version. Though, a stripped-down version of the malware can be obtained for just $250.

According to the Vidar trojan analysis, malware is written in the C++ programming language. Purchasing account grants the attacker access to a control panel where the cybercriminal can set up the infostealer malware to target particular information on the victims’ PC. Like Arkei, cybercriminals need to take precautions to secure the main payload themselves, using crypto or a packer. The control panel displays the current builder version, user settings, malware status, and logs. It should be noted that Vidar data stealer uses domain names to search for C&C servers, where stolen data is being dropped, changing every four days. Though they are steadily changing, a constant response is required.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Vidar is capable of stealing text files in multiple formats, browser cookies and history, browser records, including data from TOR, as well as autofill value information, including banking and credit card details. Based on the Vidar analysis, the stealer malware can search for cryptocurrency wallet information, take screenshots and act as a message stealer, recording private messages from various software.

What’s more, Vidar is also known to be able to steal digital coins from offline wallets. In fact, holders of Litecoin, Bitcoin, Ethereum, Zcash, and DashCore are in potential danger, as these are the cryptocurrencies currently supported by this infostealer malware.

After collecting all targeted information, this stealer malware archives it and sends the stolen data to a control server, after which Vidar removes traces of its work and deletes itself from the system.

Vidar analysis

An analysis recorded in ANY.RUN malware hunting service allows us to take a closer look at the lifecycle of Vidar and perform Vidar analysis.

arkei execution process tree

Figure 1: A visual process graph generated by ANY.RUN

text report of the arkei malware analysis

Figure 2: The customizable text report provided by ANY.RUN is a perfect tool to share the results of an analysis

Vidar execution process

According to the Vidar analysis, after the user downloads and runs a malicious file, it spawns a child process and collects information from the infected system. Often, after the information was collected, the malware kills and deletes itself from the system through a command-line command.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

How to avoid infection by Vidar malware?

When spread via spam email campaigns like NanoCore or Agent Tesla, the Vidar stealer requires the user to download and run a malicious file to enter an active state and begin execution. Therefore, following some basic cybersecurity rules can ensure that users will stay safe from Vidar malware and the incident response team will work effectively.

As such, users should be careful when downloading attachments in emails from unknown senders. The best practice is to avoid downloading such files altogether, therefore not putting oneself in danger at all.

In addition, downloading only licensed software from trustworthy sources and avoiding gaming hacking clients greatly reduced the risk of being infected with malware such as Vidar trojan, which uses these attack vectors to infect victims.

The distribution process of Vidar

According to the Vidar trojan analysis, Vidar is distributed through spam email campaigns as a malicious attachment, like other malware. In addition, cases of Vidar being distributed using shady software and gaming hack clients have also been recorded. Vidar infostealer targets users all over the world, except some ex-USSR countries, including Russia.

How to detect Vidar using ANY.RUN?

Some malware creates files in which it named itself. You can find such info about Vidar trojan using ANY.RUN's Static Discovering during your Vidar analysis. Open either the "Files" tab in the lower part of the task's window or click on the process and then on the "More Info" button in the appeared window. After that, all you need to do is click on the file.

arkei vidar log file Figure 3: Vidar's log file

Conclusion

Vidar is a hazardous information stealer trojan, distributed as malware as a service. Thanks to its extensive stealer feature set, Vidar trojan can be used to retrieve a wide variety of information, including stealing select cryptocurrency coins from the users. Additionally, Vidar is capable of stealing data from TOR.

Thankfully, malware hunting services like ANY.RUN allows researchers to conduct extensive studies of malware samples in a secure environment, allowing them to spread information about the danger and develop effective countermeasures and incident response.

Create your free ANY.RUN account to analyze malware and phishing without limits!

HAVE A LOOK AT

NetSupport RAT screenshot
NetSupport RAT
netsupport
NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software.
Read More
Sality screenshot
Sality
sality
Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions.
Read More
Trojan screenshot
Trojan
trojan trojan horse
Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.
Read More
VanHelsing Ransomware screenshot
VanHelsing is a sophisticated ransomware strain that appeared in early 2025, operating via the Ransomware-as-a-Service (RaaS) model and targeting primarily USA and France. It threatens mostly Windows systems but has variants for Linux, BSD, ARM, and ESXi, making it a multi-platform malware. It is also notable for its advanced evasion techniques, double extortion tactics, and rapid evolution.
Read More
Tycoon 2FA screenshot
Tycoon 2FA
tycoon
Tycoon 2FA is a phishing-as-a-service (PhaaS) platform designed to bypass multi-factor authentication (MFA) protections, particularly targeting Microsoft 365 and Gmail accounts. Its advanced evasion techniques and modular architecture make it a significant threat to organizations relying on MFA for security.
Read More
Prometei screenshot
Prometei
prometei
Prometei is a modular botnet malware family that silently infiltrates systems, hijacking their resources for illicit Monero (XMR) mining. Active since at least 2016, it combines stealth, persistence, and lateral movement capabilities. Notable for its global reach and opportunistic infection strategy, it is also used for credential theft.
Read More